Posted: Mon 08 Feb 2010, 09:39
This is real, if you allow attackers to get that far.

The null-pointer de-reference vulnerability has been around for ages. The compiler optimization which removes the code which checks for this illustrates the serious problem of preserving semantics during optimization.

If you look for errors in preserving semantics, you can find them. Many optimizations could be characterized as "I hope this makes things faster without breaking anything". The surprise is not that he found such, it is the size of the class of vulnerabilities exposed.

In addition to actual problems of preserving well-defined semantics, there is the problem that many people writing code do not understand the precise semantics of the constructs they are using. This leads to another class of vulnerabilities, which might be classed as psychological. (Here's an example: if an integer is equal to its negation, it must be zero. Right?)

Linus is right in saying that no one should be surprised about attackers gaining root privileges if you let them make arbitrary kernel calls. He is off in a dreamworld if he doesn't recognize that running a LAMP installation (Linux, Apache, MySQL, PHP) is a very common practice which can allow malicious programs from the web to do exactly that.

I'm convinced that a series of attacks on Puppy-related sites gained entry through PHP vulnerabilities.

Are you running a web server supporting PHP as root? In general, Puppy is careful not to allow remote exploits, because it expects the person operating it to be running as root.

For cases where it runs a server, there is a special, limited-privilege user named spot. The default HTML server is Hiawatha, not Apache. If you are careful to set up a default firewall before you go on-line, you should be browsing in "stealth" mode. For most purposes, a remote program can't even tell if your ports exist.

An attacker who expends the hours of highly-skilled time required to crack a Puppy system will be dismayed to learn the exploit has a very limited target population. An exploit which works on 4.3.1 probably won't work on many puplets. A straightforward economic analysis suggests he would be far better off cracking Ubuntu systems. As for Windows, consider the following.

If you think this is "a disaster" you must not know the current state of internet security. A recent study found 48% of computers already infected. In this case, there is no need to "crack" these systems, they are already cracked. (There is an underground economy on which system crackers might sell such systems to those who exploit them for perhaps 10 cents apiece. How much skilled time can you buy with 10 cents?) A study by other security researchers, using a different methodology, could probably go back and find infected systems which that report missed.

The kernel should be compiled with -fno-delete-null-pointer-checks to remove the possibility of these kinds of vulnerabilities turning exploitable in the future, which would be impossible to spot at the source level without this knowledge.

This problem introduced by compiler optimization brings us closer to a nightmare possibility Ken Thompson described in his Reflections on Trusting Trust. N.B. At the time he wrote this, M$ was working for IBM. The famous 1984 Apple Macintosh ad was aimed at IBM.

I always knew pointers were evil. Sure, they act like they're your friend, building linked lists and passing variables without wasting time and space allocating new memory. As soon as your project deadline approaches, however, they start writing over some other program's memory space and getting accidentally set to NULL.
_________________
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath
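The shape of the bug discussed above, as an added illustration that is not code from this thread or from the kernel: a pointer is dereferenced on one line and only checked for NULL on the next, so the optimizer is entitled to delete the check. The struct names are placeholders that merely echo the tun driver, not the real kernel definitions.

```c
#include <stddef.h>

/* Constructed stand-ins for the two objects involved (not the kernel's
 * real struct layouts): an outer object that points to an inner one. */
struct sock { int state; };
struct tun  { struct sock *sk; };

/* Vulnerable ordering: the pointer is dereferenced on the first line and
 * checked for NULL afterwards. Because dereferencing NULL is undefined in C,
 * GCC's -fdelete-null-pointer-checks (on by default at -O2) may treat "t->sk"
 * as proof that t is non-NULL and delete the "if (!t)" branch; the check then
 * exists in the source but not in the binary. In user space a NULL t simply
 * crashes here; in the kernel a silently dropped check is much worse. */
int poll_check_after_deref(struct tun *t)
{
    struct sock *sk = t->sk;    /* dereference first ... */
    if (!t)                     /* ... check second: candidate for deletion */
        return -1;
    return sk->state;
}

/* Hardened ordering: check before any dereference. Nothing preceding the
 * test proves t non-NULL, so no optimization may remove it, and the function
 * is safe to call with NULL. -fno-delete-null-pointer-checks is only a
 * backstop for code that still has the first shape. */
int poll_check_before_deref(struct tun *t)
{
    if (!t)
        return -1;
    return t->sk->state;
}

/* Exercise both functions on a valid (constructed) object so a test can
 * confirm the hardened version behaves identically on the non-NULL path. */
int states_agree_for_valid_object(int state)
{
    struct sock s = { state };
    struct tun  t = { &s };
    return poll_check_after_deref(&t) == poll_check_before_deref(&t)
        && poll_check_before_deref(&t) == state;
}
```

Compiling the first function with and without -fno-delete-null-pointer-checks and comparing the generated assembly shows whether the check survived.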

If you read later post details on that site you will see that this bug and the wi-fi bug have been solved in the newer kernel.
_________________
Rob
The moment after you press "Post" is the moment you actually see the typso

If you read later post details on that site you will see that this bug and the wi-fi bug have been solved in the newer kernel.

Well... it is solved for the particular instance in which it was found in the /devices/net/tun device setup source, but that is not to say that a similar null pointer vulnerability might not be introduced in code for some other device elsewhere in the kernel source, now and in the future.

So, if compiling the kernel with gcc, and if using the usual Puppy kernel-compile sequence of

make distclean
make clean
(or, in lieu of the above, make mrproper)
make menuconfig
make
make modules_install

...the -fno-delete-null-pointer-checks CFLAG should be invoked, by appending it to the line which sets HOSTCFLAGS in the top-level kernel Makefile--for example, in 2.6.31.6, changing the line in /usr/src/linux-2.6.31.6/Makefile from

AAAArgh
I was feeling all smug this morning because I was thinking I was mostly safe from malware and such. Last night I downloaded a small "free" piece of software on my Puppy to install on my old XP box to try and network my new ancient IBM Thinkpad running Win95 to XP. I have to do this because it's now the only way to transfer files over to it via a Direct Cable Connection. Well, lo and behold, as soon as I executed the file it installed a nasty virus on the XP box. At least it had the decency to inform me right away! LOL I am reformatting it as I write this.

I came on here to see if there were any Puplets made just for Virus scanning and such when I saw the new thread on Rootkits in Puppy! I quickly ran to the kitchen for my colander and neatly wrapped it in tin foil to prepare for battle!

After much reading in here I guess it just comes down to playing it safe with some preparation and luck. If I had virgin hardware, plenty of software protection and never let my computer get on the net or swap files with another, perhaps I would be at very low risk. But Life is only fun when there is some risk involved so I guess it goes with the territory to some extent.

This exploit on the Kernel brings up another question for me now. Does the feature "Trim the Fat" when installing Pets also create this vulnerability as well?

PS. Would it be safer to use an IBM mainframe from the mid-60s using only a card reader to get on the net? Or would they use the Y2K bug to "poke holes" in it too?

Kirby
_________________
"When you come to your cross roads, step off the road and go down the path of your own making".
~Bohemian proverb~

*edit* "When you're lost in the woods from straying from the road, Always be sure to carry a Flashlight!"
~Improved Bohemian Proverb~
